Compiling a User Inventory
- Updated on 18 Dec 2022
A user inventory is a complete list of every user account across the varied systems of an organization. User accounts are associated with a wide range of platforms, from databases and applications to directory services and identity and access management platforms. They serve a number of purposes, including user authentication, authorization, and accounting controls. Compiling an aggregated user account inventory can inform a wide array of administrative, operational, and technical security workflows.
Customers commonly use Axonius to identify and compile a complete, up-to-date user inventory, and to query, track, and monitor a wide range of user attributes, characteristics, and conditions.
User Inventory Challenges
As with device inventories, the sheer number of user accounts that exist across an enterprise makes it difficult to obtain a single, consolidated inventory of user information. Almost every application, database, and compute platform across an enterprise has its own associated (and siloed) user account inventory.
Even when organizations attempt to pull together some subset of these user inventories, they run into challenges similar to obtaining a complete user inventory. These include:
- Fragmented administrative ownership across systems and platforms
- Developing, managing, and maintaining integrations to the various data sources
- Managing the rate of user characteristic changes across each source and historically across all sources
- Widely varied naming conventions, making correlation rules complex and difficult
Most enterprises have opted to forgo a complete inventory. Instead, they focus on identity and access management (IAM) solutions for their most critical applications and databases.
Recommended Data Sources
The following data sources are commonly used to compile a comprehensive user inventory:
Directory services are an important baseline for users. They can help with user data correlation from other sources, simply because of the abundance of data objects typically populated in directory services. This could include a directory services platform like Microsoft Active Directory (AD) or cloud directory services like Microsoft Azure AD, AWS Directory Service, GSuite and OneLogin.
Identity and access management solutions are great sources because they are typically expansive in terms of enterprise-wide employee and user coverage and contain information about user security and access groupings, and access to specific applications and services.
Other common sources you can leverage to find information on users include:
- Digital management and intelligence tools, like DynaTrace and NextThink
- Third-party intelligence sources like Shodan, Censys, and HaveIBeenPwnd
- Privilege management tools, like CyberArk and BeyondTrust
- Configuration and patch management tools, like Chef, Jira, and SCCM
- Human resource management tools, like ADP, Workday and BambooHR
- Remote conferencing tools, like Zoom and Cisco Webex
How to Compile a User Inventory with Axonius
By connecting to the management consoles of platforms that hold user data, Axonius can identify key indicators that are useful for finding users. At the aggregate level, Axonius can search the following data fields to help identify users. Many more specific fields from the various adapters can also be queried in addition to those listed in this table.
Example Queries:
Simple queries can be built to find users and user information in Axonius, ranging from the broadest possible scenario to the most detailed.
Let’s take a look at a couple of queries for finding users and compiling a user inventory.
Finding all admin users
This query can be represented in the Axonius Query Wizard as:
The query finds all users that have admin access rights. Here’s an example of the returned results:
Finding Admin Users with Outdated Passwords
We can add other filter criteria to see if the admin users are adhering to security policies. Let’s say our security policy states that all admin users need to change their password every 180 days. The following query can find admin users who haven’t changed their passwords in over 180 days:
Here’s an example of the returned results:
Finding All Active Windows Users With No Password Required
A slightly more complex query can involve multiple fields or parameters. Let’s say we know that our organization has an issue with employees disabling passwords, or not requiring them, on Windows devices.
In this case we would want to find all Windows users (associated with AD) whose accounts are active and do not require a password. You can do so using the following query:
After running the query, it appears that there are 44 active Windows users whose accounts do not require a password.
Here’s an example of the returned results:
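The three queries above are illustrated here with an added example that is not Axonius code and does not use its query language: a small Python aggregator correlates two constructed exports (an AD-style one and an IAM-style one) into one inventory and then runs the same three checks (admin users, admin users with a password older than 180 days, and enabled Windows users whose account does not require a password). The export field names, sample users, and the report date are assumptions; the userAccountControl bit values are the real Active Directory ones.

```python
from datetime import datetime, timedelta

# Real Active Directory userAccountControl bit flags.
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020

# Constructed date the inventory is evaluated on (an assumption for the example).
REPORT_DATE = datetime(2022, 12, 18)

# Constructed sample exports: one AD-style, one IAM-style. Field names are assumptions.
AD_USERS = [
    {"sam": "jdoe", "mail": "jdoe@example.com", "uac": 0x0200,
     "pwd_last_set": "2022-01-10", "admin_count": 1},
    {"sam": "asmith", "mail": "asmith@example.com", "uac": 0x0220,
     "pwd_last_set": "2022-11-01", "admin_count": 0},
    {"sam": "svc_backup", "mail": "", "uac": 0x0222,
     "pwd_last_set": "2021-05-05", "admin_count": 0},
]
IAM_USERS = [
    {"email": "JDoe@Example.com", "groups": ["Domain Admins"]},
    {"email": "asmith@example.com", "groups": ["Staff"]},
    {"email": "bchen@example.com", "groups": ["Cloud Admins"]},
]

def build_inventory(ad, iam):
    """Correlate on lower-cased e-mail (AD logon name if no mail); keep single-source users."""
    inv = {}
    for u in ad:
        key = (u["mail"] or u["sam"]).lower()
        inv[key] = {"sources": ["ad"], "uac": u["uac"], "groups": [],
                    "pwd_last_set": datetime.strptime(u["pwd_last_set"], "%Y-%m-%d"),
                    "admin": u["admin_count"] == 1}
    for u in iam:
        rec = inv.setdefault(u["email"].lower(), {"sources": [], "uac": None,
                             "groups": [], "pwd_last_set": None, "admin": False})
        rec["sources"].append("iam")
        rec["groups"] += u["groups"]
        rec["admin"] = rec["admin"] or any("admin" in g.lower() for g in u["groups"])
    return inv

def admin_users(inv):
    return sorted(k for k, r in inv.items() if r["admin"])

def admins_with_stale_password(inv, now=REPORT_DATE, max_age_days=180):
    cutoff = now - timedelta(days=max_age_days)
    return sorted(k for k, r in inv.items()
                  if r["admin"] and r["pwd_last_set"] and r["pwd_last_set"] < cutoff)

def enabled_windows_users_no_password_required(inv):
    # Only records carrying an AD userAccountControl value count as Windows/AD users.
    return sorted(k for k, r in inv.items() if r["uac"] is not None
                  and not r["uac"] & ACCOUNTDISABLE and r["uac"] & PASSWD_NOTREQD)
```

Note that the disabled service account carries PASSWD_NOTREQD but is excluded by the ACCOUNTDISABLE check, which is the "active" condition the third query expresses.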
Example Enforcement Actions
If deviations from security policies or other security issues are found when running queries on users in Axonius, a number of options are available to alert teams without any human intervention.
Any time a saved query surfaces user-related security concerns, security and risk teams can take actions including:
- Enabling or disabling users in Microsoft Active Directory
- Sending a Slack message with details to notify team members
- Creating a helpdesk ticket in ServiceNow, Jira, Zendesk, etc. to notify IT and security teams
- Adding a tag in Axonius for internal tracking purposes
- Enriching the user data with Have I Been Pwned (HIBP) to identify users who appear in the breaches, pastes, and pwned passwords tracked by the HIBP website
For more details, see Action Library.